MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46e9abe7ac68378bb171f81629f4e36291c3889af69045179bbe2e1fee5d1a24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 46e9abe7ac68378bb171f81629f4e36291c3889af69045179bbe2e1fee5d1a24
SHA3-384 hash: 83e9f825d9630e6aa13fae5554a8ef8178cea93d1906d98570541ab6fdc6a91dd72dc4394b6f54c17c2dada2a55d7ef0
SHA1 hash: 90e707fda5bcac83b5a7d6d25f481b4746fef511
MD5 hash: 0b65c62a9de83a213fce1873edfeb4eb
humanhash: nine-king-lactose-network
File name: 0b65c62a9de83a213fce1873edfeb4eb.exe
Signature: RedLineStealer
File size: 924'672 bytes
First seen: 2023-03-09 20:16:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:7JTDx4DDlWFKqaHkD2SA1CWo0OiPcYGLstWAGXubKkm6HwJxarhdY95fAm:lTIzqOkD2eN0HchLstFlo6HwJxeDyf
TLSH: T12B152316A6BC17D3C817863D8FE1782BAD2BE9C905368B9D3C28831F5143953F749A9C
TrID: 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.9% (.ICL) Windows Icons Library (generic) (2059/9)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: d9d97c9c9aaeaeab (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
RedLineStealer C2:
85.31.46.182:12767

Intelligence
File Origin
# of uploads: 1
# of downloads: 225
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0b65c62a9de83a213fce1873edfeb4eb.exe
Verdict: Malicious activity
Analysis date: 2023-03-09 20:19:08 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 60%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Eternity Malware
Verdict: Malicious
Result
Threat name: Eternity Worm
Detection: malicious
Classification: troj.evad
Score: 70 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Eternity Worm
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph: [behavior graph figure; Behavior Graph ID: 823614, Sample: eUzft3XoKm.exe, Startdate: 09/03/2023, Architecture: WINDOWS, Score: 70]
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-03-07 22:47:02 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family: sectoprat
Score: 10/10
Tags: family:eternity family:redline family:sectoprat botnet:new1 discovery infostealer persistence rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Eternity
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
85.31.46.182:12767
Unpacked files
SHA256 hash: a6409c057befede7024e601748130c9f191ff06a2a622f37a2ba441e3a10b836
MD5 hash: e5d000612c8db56d222196021ca80b2e
SHA1 hash: 77df001845cd724c1f883b8002b913d6e1256957
SHA256 hash: 376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8
MD5 hash: dbb92d6b3c324f8871bc508830b05c14
SHA1 hash: 4507d24c7d78a24fe5d92f916ed972709529ced0
SHA256 hash: 46e9abe7ac68378bb171f81629f4e36291c3889af69045179bbe2e1fee5d1a24
MD5 hash: 0b65c62a9de83a213fce1873edfeb4eb
SHA1 hash: 90e707fda5bcac83b5a7d6d25f481b4746fef511
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments